Owing to the development of computer engineering and networks, the detection of cyber attacks is becoming increasingly important.
At present there are various technologies for detecting cyber attacks that rely on analysis of files, network traffic, and behaviour. Such technologies enable rather effective detection of attacks within the protected network segment. However, there is a need to detect and trace attacks even in those segments that have no means of detecting such attacks.
To detect network attacks against unprotected resources, it is possible to plant malware that receives instructions from remote control servers specifying the targets to be attacked and the attack parameters. However, this approach has several disadvantages and restrictions:
When planting malware, one must wait until it calls a remote server for instructions or launches an attack. Depending on the specific settings of the malware, the interval between interactions with the remote server may range from several minutes to several hours.
To continuously analyze the commands received from a specific control server, the computer running the malware typically has to be kept on continuously.
Instructions received from a control server may be encrypted or encoded.
To analyze instructions from many control servers sent to various types of malware, an isolated environment typically has to be maintained for each piece of malware; otherwise the pieces of malware may conflict with each other.
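The first restriction above, the wait for the malware's next contact with its control server, is also what a defender sees from the network side: a sample that is idle between callbacks still produces outbound requests at a fixed cadence. The following script is an added example and is not part of this patent text or of any cited solution; it groups outbound requests from constructed proxy log lines by source and destination, measures the gaps between successive requests, and reports pairs whose timing is periodic. The log format, the hosts, and the jitter threshold are assumptions made for the example.

```python
"""Beacon-interval analysis over constructed proxy log lines.

Added example (not from the patent text): a sample waiting for its control
server contacts it at a roughly fixed interval, so the gaps between its
outbound requests are regular, while interactive traffic scatters widely.
The reported mean gap is also the minimum observation window an analysis
environment has to stay up to see at least one instruction exchange.
All log lines and hosts below are constructed for the example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<date> <time> src=<ip> dst=<host> method=<m> path=<p>"
LOG_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) method=(\S+) path=(\S+)$")

# Constructed sample: 10.0.0.5 contacts the same destination every ~30 min,
# 10.0.0.7 makes irregular browsing requests.
SAMPLE_LOG = """\
2024-01-01 10:00:00 src=10.0.0.5 dst=c2.example.invalid method=GET path=/gate.php
2024-01-01 10:30:02 src=10.0.0.5 dst=c2.example.invalid method=GET path=/gate.php
2024-01-01 11:00:01 src=10.0.0.5 dst=c2.example.invalid method=GET path=/gate.php
2024-01-01 11:30:03 src=10.0.0.5 dst=c2.example.invalid method=GET path=/gate.php
2024-01-01 10:00:10 src=10.0.0.7 dst=news.example.invalid method=GET path=/
2024-01-01 10:00:45 src=10.0.0.7 dst=news.example.invalid method=GET path=/story/1
2024-01-01 10:07:12 src=10.0.0.7 dst=news.example.invalid method=GET path=/story/2
2024-01-01 11:40:00 src=10.0.0.7 dst=news.example.invalid method=GET path=/story/3
"""


def parse_log(text):
    """Yield (timestamp, src, dst) for each line that matches LOG_RE; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3)


def intervals_by_pair(records):
    """Map (src, dst) -> list of gaps in seconds between successive requests."""
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)
    gaps = {}
    for pair, ts_list in times.items():
        ts_list.sort()
        gaps[pair] = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
    return gaps


def find_beacons(text, min_samples=3, max_jitter_ratio=0.05):
    """Return {(src, dst): mean_gap_seconds} for pairs whose request timing is periodic.

    Jitter ratio is the population standard deviation of the gaps divided by
    their mean: a fixed sleep between callbacks keeps it near zero, while
    human-driven browsing pushes it well above the threshold.
    """
    result = {}
    for pair, gaps in intervals_by_pair(parse_log(text)).items():
        if len(gaps) < min_samples:
            continue  # too few requests to judge periodicity
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # duplicate timestamps; no cadence to measure
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter_ratio:
            result[pair] = mean
    return result


if __name__ == "__main__":
    for (src, dst), mean_gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: periodic, mean gap {mean_gap:.0f}s "
              f"(observation window must exceed {mean_gap / 60:.0f} min)")
```

On the constructed sample only the 10.0.0.5 to c2.example.invalid pair is reported, with a mean gap of about 30 minutes; the browsing host is rejected because its gaps range from seconds to over an hour. The threshold and minimum sample count are deliberately conservative, since short sandbox runs give few gaps to work with.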
U.S. Pat. No. 9,443,075-B2 (applicant: MITRE Corp; published on Sep. 13, 2016) discloses a method of intercepting malware communications that can be adapted to the activity of a specific piece of malware in a compromised computer system. This technical solution analyzes the traffic between the infected computer and the server, which narrows its coverage, since malicious links that have never been encountered in the protected system cannot be examined. Another feature of this solution is manual reverse-engineering of the protocol between the malware and the server, which hinders automation of the analysis process.